debug User-Profile

MichaelLeung gbcbooksmj at gmail.com
Fri Mar 18 09:55:20 CET 2016


Finally, I figured out how it works.

First, edit mods-available/ldap.
In the global section, add:

valuepair_attribute = "radiusReplyItem"

In the profile section, uncomment and change the default values:
profile {
     default = "%{control:User-Profile}"
}

Go to the policy.d/ directory and create a policy, whatever you name it:
whatevername {
     if (Ldap-Group == "groupname in LDAP, or DN") {
         # set the profile DN that the ldap module reads the reply items from
         update {
             &control:User-Profile := "profile dn in LDAP"
         }
         updated
     }
     else {
         reject
     }
}

Go to the sites-available/ directory.

Edit the virtual server you want.

In the authorize section, add the policy to it.

On 03/18/2016 02:07 PM, MichaelLeung wrote:
> I found this on wiki.freeradius.org:
>
>
>   LDAP ATTRIBUTES
>
> In version 2, the mapping between RADIUS attributes 
> <http://wiki.freeradius.org/protocol/Attributes> and LDAP 
> <http://wiki.freeradius.org/protocol/LDAP> attributes is in 
> raddb/ldap.attrmap. You can edit that file and add any new mapping 
> that you may need. The LDAP-schema file is located in 
> doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the ldap 
> server schema should be updated.
>
> All ldap entries containing radius attributes should contain at least 
> "objectclass: radiusprofile"
>
> radiusCheckItem and radiusReplyItem are special. They allow the 
> administrator to add any check or reply item respectively without 
> adding it in the ldap schema. The format should be:
>
> ldap-attribute: radius-attribute operator value
>
> The version 3 attribute mapping is in the module configuration file 
> raddb/mods-available/ldap
>
> For Example:
>
> radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
>
>
> But I don't understand: if we map the RADIUS attr and the LDAP attr
> and then give it a value, why do we store the reply item in LDAP?
>
>
> On 03/18/2016 01:46 PM, MichaelLeung wrote:
>> Does FreeRADIUS 3.0.4 still have ldap.attrmap?
>>
>> On 03/18/2016 12:46 PM, MichaelLeung wrote:
>>> How can I get radiusReplyItem from LDAP?
>>>
>>> On 03/18/2016 09:25 AM, MichaelLeung wrote:
>>>> Any help?
>>>>
>>>> On 03/17/2016 05:31 PM, MichaelLeung wrote:
>>>>> Any reply?
>>>>>
>>>>> On 03/17/2016 03:20 PM, MichaelLeung wrote:
>>>>>> Well, I defined an ldap-group check policy:
>>>>>>
>>>>>> #
>>>>>> devicemanager_check {
>>>>>>         if (Ldap-Group == "DeviceManager") {
>>>>>>                 update reply {
>>>>>>                         &User-Profile := "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
>>>>>>                 }
>>>>>>         }
>>>>>>         elsif (Ldap-Group == "Device_Write") {
>>>>>>                 update reply {
>>>>>>                         &Reply-Message += "Welcome,Device Operator"
>>>>>>                 }
>>>>>>         }
>>>>>>         elsif (Ldap-Group == "Device_Reivew") {
>>>>>>                 update reply {
>>>>>>                         &Reply-Message += "Welcome Device Reviewer"
>>>>>>                 }
>>>>>>         }
>>>>>>         else {
>>>>>>                 update reply {
>>>>>>                         &Reply-Message += "you are not authorized to access, please confirm that you have the permission..."
>>>>>>                 }
>>>>>>                 reject
>>>>>>         }
>>>>>> }
>>>>>>
>>>>>> I am not sure whether this overrides the User-Profile or not.
>>>>>>
>>>>>>
>>>>>> On 03/17/2016 10:56 AM, MichaelLeung wrote:
>>>>>>> Hi list,
>>>>>>>
>>>>>>> My FreeRADIUS version is 3.0.4.
>>>>>>>
>>>>>>> I have enabled the ldap module and its radius profile feature.
>>>>>>>
>>>>>>> I need to check that the user is in a specific Ldap-Group and
>>>>>>> assign the User-Profile which contains all the RADIUS reply items.
>>>>>>> So when my NAS tries to authenticate, I can only see radiusd -X
>>>>>>> responding:
>>>>>>> (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, 
>>>>>>> id=96, length=0
>>>>>>> (0)     User-Profile := 
>>>>>>> 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
>>>>>>> It was not going to print out what reply items the User-Profile
>>>>>>> contained.
>>>>>>> Actually, I defined the reply item as
>>>>>>> Huawei-Exec-Privilege := "15"
>>>>>>> It will give the highest admin rights to users belonging to group
>>>>>>> Device_Superior to operate the device.
>>>>>>>
>>>>>>> How can I debug the User-Profile?
>>>>>>
>>>>>
>>>>
>>>
>>
>
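As an added example, not code from this thread or from FreeRADIUS itself: a small Python checker that reads an LDIF dump of a radiusprofile entry, splits each radiusReplyItem/radiusCheckItem into the "attribute operator value" triple the quoted wiki text describes, and flags items the ldap module could not turn into a reply item, so the profile entry can be verified before looking for the problem in the User-Profile lookup. The LDIF entry and the unlang operator list are constructed assumptions, not data from the thread.

```python
import re

# Constructed sample LDIF for a radiusprofile entry (not real directory data).
# Item values use the format the wiki text above describes:
# "radius-attribute operator value". The last item is deliberately malformed.
SAMPLE_LDIF = """\
dn: cn=Device_Superior,ou=Admin,ou=Group,dc=example,dc=com
objectClass: radiusprofile
cn: Device_Superior
radiusReplyItem: Huawei-Exec-Privilege := "15"
radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
radiusReplyItem: Reply-Message += "Welcome Device Operator"
radiusCheckItem: Auth-Type := LDAP
radiusReplyItem: BrokenItem "no operator"
"""
# Operators accepted in unlang update sections (assumed from the FreeRADIUS 3
# unlang documentation; check man unlang for your exact version).
OPERATORS = {"=", ":=", "+=", "-=", "==", "!=", "<", ">", "<=", ">=",
             "=~", "!~", "=*", "!*"}
ITEM_RE = re.compile(r"^\s*([\w-]+)\s+(\S+)\s+(.*?)\s*$")

def parse_item(raw):
    """Split one item value into (attr, op, value); None if malformed."""
    m = ITEM_RE.match(raw)
    if not m or m.group(2) not in OPERATORS:
        return None
    attr, op, value = m.groups()
    # Drop one layer of surrounding double quotes, as the ldap module does.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value

def profile_items(ldif_text):
    """Collect check/reply items of one LDIF entry, flagging malformed ones
    and whether the entry has the radiusprofile objectClass the wiki requires."""
    out = {"check": [], "reply": [], "invalid": [], "has_radiusprofile": False}
    for line in ldif_text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "objectclass" and val.lower() == "radiusprofile":
            out["has_radiusprofile"] = True
        elif key in ("radiuscheckitem", "radiusreplyitem"):
            parsed = parse_item(val)
            if parsed is None:
                out["invalid"].append(val)
            else:
                out["check" if key == "radiuscheckitem" else "reply"].append(parsed)
    return out
```

Run it over an `ldapsearch -LLL` dump of the DN you put in User-Profile; anything listed under "invalid" will never reach the Access-Accept, whatever the policy does.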



More information about the Freeradius-Users mailing list